oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Null Pointer Dereference in HarfBuzz

From: Vincent Lefevre <vincent () vinc17 net>
Date: Tue, 13 Jan 2026 13:34:02 +0100
On 2026-01-12 23:33:37 -0600, Jacob Bachmeyer wrote:

The issue reported here is a write to address zero causing SIGSEGV.  I doubt
that compilers can optimize placement new to avoid writing through the given
pointer without introducing undefined behavior in correct programs, since
the contents of allocated-but-not-initialized memory are undefined.


Perhaps in the case of HarfBuzz. But this is not necessarily the case
everywhere. Consider the following code:

------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

__attribute__((noipa)) // imagine it in a separate TU
int ptest (int *p)
{
  return p != 0;
}

int main (void)
{
  int *p = malloc (99999999999);
  int r = ptest (p);
  p[0] = 12345;
  free (p);
  printf ("%d\n", r);
  return 0;
}
------------------------------------------------------------

On my machine, with GCC and optimizations (e.g. -O), the output is 0
while such a value could be regarded as impossible by the program
Due to optimizations, one cannot rely on a crash if the memory could
not be allocated. So a more complex program would continue with
inconsistent information.

-- 
Vincent Lefèvre <vincent () vinc17 net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
Previous By Date Next
Previous By Thread Next

Current thread: